You could set it up on your own fork of Metron in Github. Then you can tell us if it is useful at all.
On Sat, May 28, 2016 at 2:36 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:

> So I did a bit of digging today and I found a few options <https://en.wikipedia.org/wiki/PMD_(software)>, but so far my favourite is Coverity Scan <https://scan.coverity.com/travis_ci>. I've never used this product before, so I'm not exactly sure what to expect, but I guess anyone can kick off a scan of an open source project and get results within 48 hours. I was in the process of registering Metron to be scanned but I found some things in their scan user agreement which I wasn't sure everybody would be in line with (see below for the excerpts - note I did NOT read the entire document and IANAL).
>
> Here's the TL;DR of what Coverity Scan is:
>
> Coverity Scan <http://scan.coverity.com/> is a free static code analysis tool for Java, C, C++, C# and JavaScript.
>
> This addon leverages the Travis-CI infrastructure to automatically run code analysis on your GitHub projects.
>
> Coverity Scan is a service by which Coverity provides the results of analysis on open source coding projects to open source code developers that have registered their products with Coverity Scan.
>
> Some examples of defects and vulnerabilities found by Coverity Quality Advisor include:
>
> - resource leaks
> - dereferences of NULL pointers
> - incorrect usage of APIs
> - use of uninitialized data
> - memory corruptions
> - buffer overruns
> - control flow issues
> - error handling issues
> - incorrect expressions
> - concurrency issues
> - insecure data handling
> - unsafe use of signed values
> - use of resources that have been freed
>
> Register your project with Coverity Scan by completing the project registration form found at scan.coverity.com. Upon your completion of project registration (including acceptance of the Scan User Agreement) and your receipt of confirmation of registration of your project, you will be able to download the Software required to submit a build of your code for analysis by Coverity Scan. You may then download the Software, complete a build and submit your Registered Project build for analysis and review in Coverity Scan. Coverity Scan is only available for use with open source projects that are registered with Coverity Scan.
>
> Here are some interesting snippets from their scan user agreement:
>
> Your use of our software is acceptance of our Terms <https://scan.coverity.com/policy>
>
> You will not disassemble, decompile, reverse engineer, modify or create derivative works of Our Service, software products or documentation nor permit any third party to do so, except to the extent such restrictions are prohibited by applicable mandatory local law
>
> You will not disclose to any third party any comparison of the results of operation of Our Service or software products with other services or products, except as expressly permitted by this Agreement
>
> You will not publish any findings regarding or resulting from use of the Service or the Software
>
> You agree that We may use Your name and logo (in a form approved by You) and Registered Product information to identify You and such project as a participant of Our Scan Program on Our website or in Our marketing or publicity materials or in any filings made in connection with state or federal securities laws.
>
> Additionally, upon execution of this Agreement, the parties will use commercially reasonable efforts to issue mutually agreed upon joint press releases or other public communications announcing Your entry into this Agreement.
>
> At Our written request, You will furnish Us with (a) a certification signed by an officer of Your company providing user or access information that identifies whether the Service and the Software is being used in accordance with the terms of this Agreement, and (b) log files from any License Manager. Upon at least thirty (30) days prior written notice, We may engage, at Our expense, an independent auditor to audit Your use of the Service and the Software to ensure that You are in compliance with the terms of this Agreement. ... You will provide the auditor with access to the relevant records and facilities.
>
> Jon
>
> On Fri, May 27, 2016 at 11:14 AM zeo...@gmail.com <zeo...@gmail.com> wrote:
>
> > There's nothing built-in with Travis, but we could install a tool to do this as part of the installation of tools on the build box. I'm gonna reach out to people in my local circle who specialize in secure code analysis and see what all of the options are.
> >
> > Jon
> >
> > On Fri, May 27, 2016 at 9:50 AM Nick Allen <n...@nickallen.org> wrote:
> >
> >> I completely agree that we will need some focus on this.
> >>
> >> What could Travis do for us? I wasn't aware that they offered security scanning.
> >>
> >> Are you aware of any security scan services that offer free support to open source projects?
> >>
> >> On Fri, May 27, 2016 at 9:42 AM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> >>
> >> > So I've never done anything like this before in Travis but I have done IDE plugins and pre prod scans in the past at large companies which worked well. I floated the idea past a friend working at Travis and she said if we go that route she would assist.
> >> >
> >> > I just think that if this is integrated from the beginning and fail builds on critical issues (to start), this could be a big differentiator, especially because we're talking about a security platform that centralizes tons of sensitive information, tries to parse almost anything that's thrown at it (think of what's been happening to AV products recently), and is open source for bad guys to dig into much more easily.
> >> >
> >> > Jon
> >> >
> >> > On Fri, May 27, 2016, 09:34 Nick Allen <n...@nickallen.org> wrote:
> >> >
> >> > > I am not aware of any discussions around this, Jon. What are you thinking?
> >> > >
> >> > > On Thu, May 26, 2016 at 4:35 PM, zeo...@gmail.com <zeo...@gmail.com> wrote:
> >> > >
> >> > > > I was just wondering if there is any sort of static (or even dynamic) code analysis, or penetration testing/vulnerability assessment, occurring at any point on the metron code. Has there been any discussion of installing something along those lines on the Travis build server (if it isn't there already)? Thanks,
> >> > > >
> >> > > > Jon
> >> > > > --
> >> > > >
> >> > > > Jon
> >> > >
> >> > > --
> >> > > Nick Allen <n...@nickallen.org>
> >> >
> >> > --
> >> >
> >> > Jon
> >>
> >> --
> >> Nick Allen <n...@nickallen.org>
> >
> > --
> >
> > Jon
>
> --
>
> Jon

--
Nick Allen <n...@nickallen.org>
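For anyone trying the "set it up on your own fork" suggestion: below is an added example of a `.travis.yml` wiring the Travis CI Coverity Scan addon mentioned in the thread into a Maven build. It is not from this thread or from the Metron project; the project name, notification address, branch name and token are placeholders.

```yaml
# Added example: .travis.yml using the Travis CI Coverity Scan addon.
# Placeholders: owner/repo, the e-mail address, the branch name, the token.
language: java
jdk:
  - oraclejdk8

env:
  global:
    # The Coverity project token is a credential and must never be committed
    # in clear text. Encrypt it with the travis CLI, e.g.
    #   travis encrypt COVERITY_SCAN_TOKEN=<token> --add env.global
    # so it only lives here as a "secure:" blob that Travis decrypts at build time.
    - secure: "<ENCRYPTED_COVERITY_SCAN_TOKEN_PLACEHOLDER>"

addons:
  coverity_scan:
    project:
      name: "owner/repo"                    # placeholder: the registered GitHub project
      description: "Build submitted via Travis CI"
    notification_email: you@example.com     # placeholder
    build_command_prepend: "mvn clean"
    # Compile only: Coverity analyses the instrumented build, tests are not needed.
    build_command: "mvn -DskipTests=true compile"
    # Only builds of this branch are submitted, so scans stay within Coverity's
    # submission quota and are not triggered by every pull request.
    branch_pattern: coverity_scan

# Regular CI for every other branch; the Coverity addon runs only where
# branch_pattern matches.
script: mvn clean verify
```

Decrypted `secure:` variables are not exposed to pull-request builds from forks, so the scan only fires on pushes to the named branch of the registered repository, and the token never reaches builds of untrusted PR code.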